ISACA’s 2014-15 Board Chair Robert E Stroud passed away Monday, 3 September 2018. He was struck by a vehicle while jogging on Long Island, New York, USA. Stroud was 55 years old.

Stroud brought boundless energy and enthusiasm into everything he did for ISACA—and those contributions were many. During his term as board chair, he was a driving force in the launch of ISACA’s Cybersecurity Nexus™ (CSX). Prior to that, he was international vice president of ISACA, a member of the Strategic Advisory Council and Governance Committee, and chair of ISACA’s International Organization for Standardization (ISO) Liaison Subcommittee. He was a COBIT champion and contributed to COBIT 4.0, 4.1 and 5, and numerous COBIT mapping documents. Additionally, he was involved in the creation of ISACA’s Basel II, Risk IT and Val IT guidance. He was deeply engaged with the association for 12 years, serving on more than 15 groups and speaking at countless conferences over that time.

“ISACA lost a dedicated leader, an engaged board member, a passionate colleague and, most notably, a very dear friend,” said ISACA Board Chair Rob Clyde, CISM, in his tribute to Rob Stroud. “Rob was always looking forward to new trends, new challenges and new opportunities so he could best serve his clients, his colleagues, and his friends, whether bonds were just formed or existed for decades. His exuberance lit up the room wherever he went, and he was truly a guiding light and progressive proponent for the association and our professional community. Rob’s enduring spirit of innovation will continue to influence ISACA and our global family for years to come.”

Risk Management and the Paradox of Common Sense

By Jack Freund, Ph.D., CISA, CRISC, CISM

Evidence-based risk management gives us the opportunity to justify our assertions about the state of risk and controls in our organizations. After all, we know that our opinions about risk and controls must be evidenced during our reporting cycles. To reject our opinions about organizational risk is to necessarily reject the fullness of our expertise as security professionals. As a result, we craft a narrative around risk ratings that is based in part on our understanding of technology and on common sense. In other words, we knit together technological narratives and industry zeitgeist into an organizational account of risk that appeals to common sense. After all, common sense explanations are what enable us to better explain risk to executives. Except common sense often fails us.

In Duncan Watts’ 2011 book, Everything is Obvious (Once You Know the Answer), he discusses what he calls the paradox of common sense, namely that our minds are able to provide such ready explanations for what happened that we tend to put more faith in these mental models than they can bear until they ultimately break under the weight of evidence to the contrary. He goes on to explain that:

What we don’t realize, however, is that common sense often works just like mythology. By providing ready explanations for whatever particular circumstances the world throws at us, common sense explanations give us the confidence to navigate from day to day and relieve us of the burden of worrying about whether what we think we know is really true, or is just something we happen to believe.

How are we testing to ensure that our assertions about the state of risk are more than convenient narratives we have worked out to allay any nagging concerns we may have about the unknown in our technology environments? How can we be sure that our risk reports are not simply the byproduct of our own biases conveniently propped up by our own minds’ ability to help prove us right despite evidence to the contrary?

Many have proposed the use of industry standards and lists of best practices to help ensure the uniform application of a minimum baseline. Still others have proposed a “diligence method” that is largely a list of security tactics compiled by a subject matter expert, weighed against the organization's ability and resources to implement them. Such approaches, however, are still based on the sometimes-faulty narratives that our minds create to explain the way the world works. In other words, we create lists of control practices to illustrate the way attackers and network defenders interact in the hope that the next attack will play out the way our story foretold.

Cybersecurity professionals do not need a primer on being cynical; we have got that on lock. However hard it may be, we need to harness that cynicism and apply it to ourselves. Seek out alternative narratives about risk. Actively attempt to prove yourself wrong. Ensure that your peers have had the chance to challenge your work. Seek sources of quantitative data to support the assertions and risk ratings you publish. And above all else, be sure to list the assumptions and limitations of your work. We can never offer absolute certainty, as risk is necessarily a forward-looking statement of potential harm. To purport that any future state is certain based simply on one’s own experiences is no better than a mythological tale.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of cyberrisk management for TIAA, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.

Cloud Security Virtual Summit

ISACA News


Attend ISACA’s free, half-day virtual summit to demystify cloud security with other IS/IT professionals, business professionals and experts from around the world. In the “Virtual Summit–Cloud Security,” explore how the cloud introduces threats to your enterprise information and how to mitigate those threats. This virtual summit offers live presentations, opportunities to connect with peers around the world and insights on cloud security best practices. You will also:

Gain expert insight and guidance on the challenges and possibilities for maximizing the value of cloud services while minimizing security concerns.

Engage with a panel of top professionals in a round-table discussion centered on cloud security’s challenges, benefits and future direction.

Earn up to 4 free continuing professional education (CPE) hours.

ISACA and Adobe will present the “Virtual Summit–Cloud Security.” The event takes place on 18 September at 9AM CDT (UTC -5 hours), and ISACA members can earn CPE hours by attending the summit.

Cyberthreats’ unpredictability makes preparing and planning for them daunting. Uncertainty lurks around cryptocurrency, and malware peers around every corner. Knowing more about the current trends allows you and your organization to better respond to these threats.

To help you learn more about the cryptojacking epidemic and mutating malware, ISACA and Fortinet present the “Battling the Cryptojacking Epidemic & Malware Mutations” webinar. It features an in-depth discussion of threat research top trends (such as Internet of Things [IoT] botnets targeting system-on-a-chip [SoC] devices), fileless malware and the mining of digital currency. This webinar takes place on 11 September at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Ladi Adefala, senior security strategist at FortiGuard Labs, is a passionate cybersecurity professional with a broad range of expertise that spans multiple security domains including cybersecurity strategy, solution architectures, security risk assessments, cyberthreat intelligence, and research and cybersecurity training. Adefala will use his experience in the industry to help you understand more about this cyberrisk and protect your enterprise from it.

Do you have knowledge to share with the COBIT community? Share it in COBIT Focus, ISACA’s weekly, peer-reviewed e-newsletter where COBIT users worldwide add to the COBIT body of knowledge by sharing case studies, practical use articles and tips from COBIT trainers.

Writing for COBIT Focus is a flexible process for authors. It is intended to accommodate the needs and preferences of you and your enterprise. Connect with the global community of COBIT users using your professional COBIT experience by writing for COBIT Focus.

It is almost that time of year again—the start of advanced membership renewal and the beginning of ISACA’s 2019 membership and certification renewal season. The official membership and certification renewal kick-off for the upcoming year starts in mid-September. With that in mind, it is important to consider how up-to-date your contact and profile information is on your ISACA account. If you have not updated this information lately or if you would just like to see what is currently listed on your profile and ensure its accuracy, we recommend you do this now—before the renewal season begins.

Reviewing and updating your profile is easy. Simply visit the ISACA website and click on the MyISACA tab to log in to your account. Once you are logged in, click on the MyProfile tab (on the top left of the page) and select the Account-Address-Demographic Info tab. From there, you can review your email address, mailing address, field of employment, current professional activity, etc., to ensure that we have the most up-to-date information for you. To update your contact information or your profile demographic details, select the Edit button at the bottom of the page. Contact Information and My Demographic and Other Information are shown on 2 separate tabs. Select the appropriate tab to make the necessary changes. Be sure to click Save my Changes (Continue) at the bottom of the screen before exiting the page.

Having the most up-to-date contact and demographic information will not only assist with the renewal process for 2019, but it will also help us by providing clearer guidance and direction for planning strategic initiatives and developing member-specific programs in the year ahead.